From 447f1c5b85d28947dcf6dafda79c59d78b94d170 Mon Sep 17 00:00:00 2001
From: "Benito J. Gonzalez" <bgonzalez@unicon.net>
Date: Wed, 27 May 2026 12:41:28 -0700
Subject: [PATCH] Issue #948: Surface spam-folder hint on Login page, drop
 email-body redundancy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

@cbeach47's review of #946 pointed out the spam-folder hint in the
verification email body sits in the wrong surface area: if recipients
can read the email they don't need the hint; if it's in spam they
won't see it. The right place is the SPA at the moment the user is
about to register and start waiting for the code.

Add a small `<Text size="1" color="gray">` block under the
Sign In / Register button (Cognito branch only — the legacy username/
password flow doesn't email codes), and drop the now-redundant
parenthetical from the email body in `cognito-selfserve.yml`.

The verification email sender (`no-reply@verificationemail.com`) is
still Cognito's default — the proper fix is SES with a verified
sender domain, which needs AWS production-access approval and is
tracked under #941.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 cloudformation/cognito-selfserve.yml       |  2 --
 frontends/mdr-frontend/src/pages/Login.tsx | 31 ++++++++++++++++------
 2 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/cloudformation/cognito-selfserve.yml b/cloudformation/cognito-selfserve.yml
index fdcd2bc..fac6311 100644
--- a/cloudformation/cognito-selfserve.yml
+++ b/cloudformation/cognito-selfserve.yml
@@ -52,8 +52,6 @@ Resources:
           Enter this code on the registration page to complete sign-up. If
           you didn't request this account, no action is needed and the
           account will not be created.
-
-          (If you don't see this in your inbox, please check Spam / Junk.)
       Schema:
         - Name: email
           AttributeDataType: String
diff --git a/frontends/mdr-frontend/src/pages/Login.tsx b/frontends/mdr-frontend/src/pages/Login.tsx
index 3f72127..f223fad 100644
--- a/frontends/mdr-frontend/src/pages/Login.tsx
+++ b/frontends/mdr-frontend/src/pages/Login.tsx
@@ -89,14 +89,29 @@ const Login: React.FC = () => {
           )}
 
           {isCognitoEnabled ? (
-            <Button
-              size="3"
-              className="w-full"
-              disabled={isLoading}
-              onClick={handleCognitoLogin}
-            >
-              {isLoading ? "Redirecting..." : "Sign In / Register"}
-            </Button>
+            <>
+              <Button
+                size="3"
+                className="w-full"
+                disabled={isLoading}
+                onClick={handleCognitoLogin}
+              >
+                {isLoading ? "Redirecting..." : "Sign In / Register"}
+              </Button>
+              {/* The Cognito hosted UI sign-up flow emails a 6-digit code,
+                  and Cognito's default sender domain
+                  (no-reply@verificationemail.com) often hits Gmail / Outlook
+                  spam filters. Surface the spam-folder reminder *here* — at
+                  the moment the user is about to bounce to Cognito to sign
+                  up and is about to be waiting for that code — rather than
+                  inside the email body itself, where it's redundant if they
+                  see the mail and useless if they don't. Issue #948 (@cbeach47
+                  review of #946). */}
+              <Text size="1" color="gray" align="center" mt="1">
+                If you're registering, you'll receive a 6-digit code by email.
+                Check your Spam folder if it doesn't arrive within a minute.
+              </Text>
+            </>
           ) : (
             <form onSubmit={handleLegacySubmit}>
               <Flex direction="column" gap="3">